United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

AUG 11 2011

MEMORANDUM

TO:           A/LM/AQM - Cathy J. Read

FROM:         OIG - Harold W. Geisel

SUBJECT:      Report on Audit of the Department of State Tools To Guard Against and Track Cyber
              Attacks Program Funded by the American Recovery and Reinvestment Act

The subject report is attached for your review and action. As the action office for the report's one
recommendation, please provide your response to the report and information on actions taken or
planned for the recommendation within 30 days of the date of this memorandum. Actions taken or
planned are subject to follow-up and reporting in accordance with the attached compliance response
information.

The Office of Inspector General (OIG) incorporated your comments as appropriate within the body
of the report and included them in their entirety as Appendix C.

OIG appreciates the cooperation and assistance provided by your staff during this audit. If you have
any questions, please contact Evelyn R.
Klemstine, Assistant Inspector General for Audits, at (202)
663-0372 or Richard Astor, Division Director, at (703) 284-2601 or by email at astorr@state.gov.

Attachment: As stated.

cc: INR/EX/B&F - (b) (6)
    M/PRI - (b) (6)
    IRM/BMP/SPO/SPD - (b) (6)

UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

Office of Audits

Audit of the
Department of State
Tools To Guard Against and Track
Cyber Attacks Program
Funded by the
American Recovery and Reinvestment Act

AUD/CG-11-38
August 2011

Important Notice

This report is intended solely for the official use of the Department of State or the Broadcasting
Board of Governors, or any agency or organization receiving a copy directly from the Office of
Inspector General. No secondary distribution may be made, in whole or in part, outside the
Department of State or the Broadcasting Board of Governors, by them or by other agencies or
organizations, without prior authorization by the Inspector General. Public availability of the
document will be determined by the Inspector General under the U.S. Code, 5 U.S.C.
§ 552.
Improper disclosure of this report may result in criminal, civil, or administrative penalties.

PREFACE

This report is being transmitted pursuant to the Inspector General Act of 1978, as
amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series
of audit, inspection, investigative, and special reports prepared as part of the Office of Inspector
General's (OIG) responsibility to promote effective management, accountability, and positive
change in the Department of State and the Broadcasting Board of Governors.

This report addresses the Department of State's (Department) compliance with Federal,
Department, and American Recovery and Reinvestment Act of 2009 (Recovery Act) acquisition
management practices as related to the Department's Tools To Guard Against and Track Cyber
Attacks program. The report is based on interviews with Department employees and officials,
direct observation, and a review of applicable documents.

OIG contracted with the independent public accountant Clarke Leiper, PLLC, to perform
this audit. The contract required that Clarke Leiper perform its audit in accordance with
guidance contained in the Government Auditing Standards, issued by the Comptroller General of
the United States.
Clarke Leiper's report is included.

Clarke Leiper identified three areas in which improvements could be made: transparency
of award notifications posted on the Federal Business Opportunities Web site (FedBizOpps.gov),
compliance with certain requirements established by the Office of Management and Budget, and
accuracy of reporting by award recipients.

OIG evaluated the nature, extent, and timing of Clarke Leiper's work; monitored progress
throughout the audit; reviewed Clarke Leiper's supporting documentation; evaluated key
judgments; and performed other procedures as appropriate. OIG concurs with Clarke Leiper's
findings. The recommendation contained in the report was developed on the basis of the best
knowledge available and was discussed in draft form with those individuals responsible for
implementation. OIG's analysis of management's response to the recommendation has been
incorporated into the report. OIG trusts that this report will result in more effective, efficient,
and/or economical operations.

I express my appreciation to all of the individuals who contributed to the preparation of
this report.

Harold W. Geisel
Deputy Inspector General

CLARKE LEIPER PLLC
CERTIFIED PUBLIC ACCOUNTANTS
6265 FRANCONIA ROAD
ALEXANDRIA, VA 22310-2510
703-922-7622
FAX: 703-922-8256
DORA M. CLARKE
LESLIE A. LEIPER

Audit of Department of State Tools To Guard Against and Track Cyber Attacks Program Funded
by the American Recovery and Reinvestment Act

Office of Inspector General
U.S. Department of State
Washington, D.C.

Clarke Leiper, PLLC (referred to as “we” in this letter), has performed an audit of the
Department of State’s (Department) Tools To Guard Against and Track Cyber Attacks program
funded by the American Recovery and Reinvestment Act of 2009 (Recovery Act). We evaluated
the program’s planned activities, contracts awarded with Recovery Act funds, and compliance
with reporting requirements established by the Recovery Act. This performance audit,
performed under Contract No. SAQMPD04D0033, was designed to meet the objective in the
report section titled “Objective” and further defined in Appendix A, “Scope and Methodology,”
of the report.

We conducted this performance audit from April through November 2010 in accordance with
Government Auditing Standards, issued by the Comptroller General of the United States.
We communicated the results of our performance audit and the related findings and recommendation
to the Department of State Office of Inspector General.

We appreciate the cooperation provided by personnel in Department offices during the audit.

Clarke Leiper, PLLC
July 2011

Acronyms

Cyber Attacks program   Tools To Guard Against and Track Cyber Attacks program
Department              Department of State
DS                      Bureau of Diplomatic Security
FAR                     Federal Acquisition Regulation
FedBizOpps.gov          Federal Business Opportunities Web site
FPDS.gov                Federal Procurement Data System Web site
GFMS                    Global Financial Management System
INR                     Bureau of Intelligence and Research
IRM                     Bureau of Information Resource Management
IRM/EA                  Office of Enterprise Architecture
IRM/ENM                 Office of Enterprise Network Management
IRM/IA                  Office of Information Assurance
IT                      information technology
OIG                     Office of Inspector General
OMB                     Office of Management and Budget
Recovery Act            American Recovery and Reinvestment Act of 2009
TAS                     Treasury Account Symbol
VOIP                    Voice Over Internet Protocol

TABLE OF CONTENTS

Executive Summary
Background
Objective
Results of Audit
    A. Program Objectives Are Being Accomplished
    B. Program Is Generally in Compliance With Recovery Act Requirements
Appendices
    A. Scope and Methodology
    B. Capital Investment Fund
    C. Bureau of Administration Response

Executive Summary

The American Recovery and Reinvestment Act of 2009 (Recovery Act) [1] provided
approximately $64.2 million to fund the Tools To Guard Against and Track Cyber Attacks
(Cyber Attacks) program to produce a more secure information technology (IT) infrastructure to
protect the Department of State’s (Department) physical and logical information and assets. By
implementing a state-of-the-art secure IT infrastructure, the Department will enhance its ability
to execute its diplomatic mission, serve the U.S.
public, and strengthen its infrastructure from
cyber security threats.

The objective of our audit was to determine whether the Department adequately
implemented Cyber Attacks program plans, achieved stated program outcomes, and complied
with the reporting requirements of the Recovery Act.

We found that program managers in the Bureaus of Information Resource Management
(IRM), Diplomatic Security (DS), and Intelligence and Research (INR) have planned for and
integrated the Cyber Attacks program into the Department’s existing cyber security initiatives.
Because the objectives of the Cyber Attacks program are part of an already existing IT Strategic
Plan, much of the initial planning has already been approved. The plan includes appropriate
focus on accountability and other requirements of Recovery Act funds. In addition, the
Department’s plans were thorough and well thought out. There were no deviations or major
delays in execution of the plan.

The Department has taken appropriate actions in establishing guidelines intended to
ensure compliance with Office of Management and Budget (OMB) requirements for the
Recovery Act. Contracts were awarded in accordance with the Federal Acquisition Regulation
(FAR) and OMB memoranda. [2] While procedures related to data transparency
and reporting requirements were established and implemented, a few minor issues of
noncompliance were identified for the Cyber Attacks program. Recovery Act transparency
requirements identifying the purpose, nature, and corresponding program for contract awards
were not met prior to posting or publicizing information.
Also, some Recovery Act award
information was not reported accurately.

We recommended that the Bureau of Administration, Office of Logistics Management,
Office of Acquisitions Management (A/LM/AQM), enhance its contract oversight efforts to
ensure more complete and accurate reporting of award information.

In its response to the draft report (see Appendix C), AQM concurred with the
recommendation. Based on the response, OIG considers the recommendation resolved, and it
will be closed pending review and acceptance of documentation for the actions OIG specified.
The response and OIG’s analysis are presented after the recommendation.

[1] Pub. L. No. 111-5, 123 Stat. 115 (2009).
[2] Memoranda M-09-10, Initial Implementing Guidance for the American Recovery and Reinvestment Act of 2009,
and M-09-15, Updated Implementing Guidance for the American Recovery and Reinvestment Act of 2009.

Background

The American Recovery and Reinvestment Act of 2009 was signed into law as a direct
response to the recent economic crisis in an effort to jumpstart the economy and invest in
long-term growth by creating or saving jobs and putting a down payment on addressing
long-neglected challenges. The Department received $602 million of Recovery Act funds to create
and save jobs, repair and modernize domestic infrastructure crucial to the safety of American
citizens, enhance energy independence, and expand consular services offered to American
taxpayers. The Recovery Act also established an unprecedented level of accountability and
transparency in U.S. Government spending.
Agencies and contractors were subject to new
reporting requirements set forth by OMB that allow the general public to view Recovery Act
spending in a direct and timely manner. A summary of the Department’s projects and a
breakdown of proposed spending of funds are shown in Table 1.

Table 1. Department Projects and Proposed Spending of Recovery Act Funds

Department of State – Account / Project                                      Funds (in 000s)
Diplomatic and Consular Programs                                                     $90,000
    - Hard Skills Training Center                                                     70,000
    - Consular Affairs Passport Facilities                                            15,000
    - National Foreign Affairs Training Center                                         5,000
Capital Investment Fund                                                             $290,000
    - Data Center                                                                    120,000
    - IT Platform                                                                     33,500
         Diplomatic Facility Telephone System Replacement                             10,000
         Replacement of Aging Desktop Computers                                       13,000
         Mobile Computing                                                             10,500
    - Cyber Security                                                                  98,500
         Tools To Guard Against and Track Cyber Attacks                               64,205
         Strengthen Computer Hardware Security Testing and Forensic Investigations     4,000
         Safeguarding Citizens – Computer Security Systems                            25,366
         Expanded Cyber Education                                                      4,929
    - Transfer to U.S. Agency for International Development                           38,000
Office of Inspector General                                                           $2,000
International Boundary and Water Commission Construction                            $220,000
TOTAL                                                                               $602,000

Source: Department of State.

The nature of the Department’s mission makes it a target for cyber terrorists and hackers.
The Department serves the American public through the execution of its diplomatic mission and
the issuance of passports and visas to American citizens and foreign guests. A secure and
modern IT infrastructure is essential to the execution of those duties. Of the total $602 million in
Recovery Act funds provided to the Department, funds of approximately $64.2 million are
designated to the Cyber Attacks program to produce a more secure IT infrastructure to protect
the Department’s physical and logical information and assets. By implementing a state-of-the-art
secure IT infrastructure, the Department will both enhance its ability to execute its diplomatic
mission and serve the U.S. public and strengthen its infrastructure from cyber security threats.

The objectives of the Cyber Attacks program are key components of an existing cyber
security initiative that is part of the Department’s long-term IT Strategic Plan. The Recovery Act
funds provided the Department the opportunity to supplement its existing efforts to accomplish
some of the key objectives of the cyber security initiative.
These objectives are as follows:

   • Produce a more secure infrastructure that protects the IT assets of the Department and
     maintains the capability to expand support to its partners in the U.S. foreign affairs
     community.
   • Expand the capability to monitor, guard against, track, and respond to cyber attacks.
   • Enhance the protection of personally identifiable information of U.S. citizens receiving
     services from the Department.
   • Modernize, standardize, and centralize the Department’s domestic IT network.
   • Fully integrate the Department’s domestic and overseas IT networks through
     reengineering, standardization, and deployment of a world-class, enterprise-wide network
     and network security architecture.
   • Provide technological improvements to, and enhance security for, the Department’s
     mobile computing platform.

Objective

The objective of our audit was to determine whether the Department adequately
implemented Cyber Attacks program plans, achieved stated program outcomes, and complied
with the reporting requirements of the Recovery Act.

Results of Audit

The Department has made progress in accomplishing Cyber Attacks program objectives
and milestones.
The success of the Cyber Attacks program was the result of collaboration
among IRM, DS, and INR personnel, as well as other Department personnel and contractor staff.
The bureaus planned and integrated the Cyber Attacks program into the Department’s existing
cyber security initiative.

As of September 30, 2010, almost 100 percent of the $64.2 million in program funds had
been obligated, and about half of the funds had been expended for contracts to support six major
subprojects: Hardening Department of State Infrastructure and Improved Defensive Sensors;
Security Architecture, Support, and Oversight; Data Loss Prevention; Improved Defensive
Sensors, Hardening Infrastructure and Classified Systems Assessments; Sensitive
Compartmented Information Network Security; and Mobile Communications, Voice Over
Internet Protocol (VOIP), Web Development, and Network Enhancements.

Overall, IRM program managers have complied with management and financial
oversight requirements of OMB. Also, funds were awarded and distributed in a prompt, fair, and
reasonable manner. However, we noted several areas in which Recovery Act procedures were
not followed and contract data was not reported accurately.

Finding A. Program Objectives Are Being Accomplished

Based on our inquiries of project management, review of supporting documentation, and
tests for propriety of contract obligation and expenditure transactions, we determined that
satisfactory progress is being made on meeting program objectives. Recovery Act funds are
appropriately accounted for and being used in accordance with approved program plans.
The
objectives of the Cyber Attacks program do not encompass complete and discrete plans for the
Department’s existing cyber security initiative and IT Strategic Plan. These Recovery Act-funded
activities are only partial components of broader Department plans. Therefore, the Cyber
Attacks program is meant primarily to supplement the Department’s current efforts by funding
certain activities within those plans. We found no significant delays or funding issues in the
Cyber Attacks program with regard to activities funded by the Recovery Act. To complete all
components of the cyber security initiative as they relate to the Cyber Attacks program,
additional funding and resources will be required in FY 2011 and beyond. IRM officials project
that operation and maintenance costs to operate and manage the new infrastructure will be about
$300,000 each year. This additional cost will cover the increased maintenance requirements.
When cyber security projects are completed with a secure infrastructure serving all foreign
affairs agencies, IRM officials stated that they believe they will realize savings because standard,
more secure systems and networks are less expensive to operate.

The Cyber Attacks program has resulted in collaboration among personnel of several
Department bureaus, as well as Department personnel and contractor staff. The overall
responsibility and accountability of the program were managed by IRM’s Office of Enterprise
Network Management (ENM). IRM’s Offices of Enterprise Architecture (EA) and Information
Assurance (IA) are also involved in the Cyber Attacks program. DS and INR supported IRM
and were responsible for designated parts of the program. These bureaus provided IRM with
weekly updates for consolidated reporting purposes. The Cyber Attacks program comprises six
subprojects.
The subprojects and respective responsible bureaus are shown in Table 2, and major
contracts are in Table 3.

Table 2. Cyber Attacks Program Subprojects and Responsible Bureaus

   Subprojects – Tools To Guard Against and Track         Bureau        Obligated         Expended
   Cyber Attacks
1  Hardening Department Infrastructure and Improved        IRM      $39,713,695.55   $18,398,856.68
   Defensive Sensors
      a. Network Access Controls & Perimeter Security
      b. End-to-End Configuration Management
      c. Centralized Patch Management
      d. Domestic Network Modernization
2  Security Architecture, Support, and Oversight           IRM        5,404,679.51     3,107,444.62
3  Data Loss Prevention                                    IRM        4,297,218.60     1,988,797.14
4  Improved Defensive Sensors, Hardening Infrastructure,   DS         6,754,501.33     4,532,709.22
   Classified Systems Assessments
5  Sensitive Compartmented Information Network             DS         2,260,497.04     1,092,647.17
   Security
6  Mobile Communications, VOIP, Web Development,           INR        5,773,226.73     3,130,396.04
   Network Enhancements
   TOTAL                                                            $64,203,818.76   $32,250,850.87

Source: Department of State.

Table 3. Cyber Attacks Program Major Contracts

   Award #        Vendor                                Awarded  Services
1  SAQMPD07F0777  Northrop Grumman Information   $20,898,670.20  Labor contract for project management and
                  Technology, Inc.                               implementation of Functional Task 8, which
                                                                 encompasses IRM/ENM initiative for Hardening
                                                                 Infrastructure and Improving Defensive Sensors.
2  SAQMMA09L0369  Allied Technology Group, Inc.   $1,836,196.92  Acquire services to support the Chief
                                                                 Information Officer’s planning organization in
                                                                 the IT Capital Planning and Investment Control
                                                                 and Infrastructure Optimization Initiative Line
                                                                 of Business processes for the Department, and
                                                                 support the Department in tracking and
                                                                 evaluating current and emergent technologies.
2  SAQMMA09L0943  Deloitte Consulting LLP         $2,599,953.19  Acquire services to document, evaluate, and
                                                                 develop architecture and transition strategy.
2  SAQMMA10F0997  WINS                              $228,019.20  Acquire services for enterprise-wide software
                                                                 monitoring and testing.
3  SAQMMA09L0757  SRA                               $173,157.04  Develop new privacy policies related to the
                                                                 Data Loss Prevention program.
3  SAQMMA10L0391  Booz Allen Hamilton Inc.          $162,199.52  Acquire program management, enterprise risk,
                                                                 and data analysis services to support IRM/IA’s
                                                                 collaborative Data Loss Prevention initiative.
3  SAQMMA10L1038  Booz Allen Hamilton Inc.        $2,880,476.95  Network Continuous Certification and
                                                                 Accreditation Support Services. Initiation and
                                                                 development of a new continuous certification
                                                                 and accreditation process to increase the use
                                                                 of automation and monitoring in certification
                                                                 and accreditation activities.
4  SAQMMA08L3182  SRA                             $4,374,806.47  IT infrastructure security support and program
                                                                 management.
5  SAQMMA08L1558  Mantech Information Systems     $2,238,113.35  Evaluate existing systems and processes related
                                                                 to network security.
6  SAQMMA09F2886  WINS                              $239,986.18  VOIP engineer to design/implement VOIP
                                                                 infrastructure.
6  SAQMMA09F3054  WINS                              $864,122.20  Systems engineers for network enhancements/
                                                                 modernization.
6  SAQMMA09F3062  WINS                              $749,163.20  Web site developers.

Source: Department of State.

Finding B. Program Is Generally in Compliance With Recovery Act
Requirements

IRM program managers adequately planned for and managed the funds provided for the
Cyber Attacks program. Recovery Act funds were used for their intended purposes, and overall,
the Department complied with OMB requirements. We found funds were awarded and
distributed in a prompt, fair, and reasonable manner. Contractors and other fund recipients met
eligibility requirements and complied with award requirements. For example, fixed-price
contracts were awarded to American companies for hardware, software, and circuits in support
of American high-technology companies. As required by the Recovery Act, separate Treasury
Account Symbols (TAS) were established for the Cyber Attacks program. As reported through
the Department’s Capital Investment Fund, we verified that program funds had proper approvals
and that the monitoring of subprojects and contracts was adequate, as shown in Appendix B,
“Capital Investment Fund.” We noted, however, some minor instances in which Recovery Act
procedures were not followed and contract data was not reported accurately.

Notifications on the Federal Business Opportunities Web Site

For the 25 contracts reviewed, we found that the majority of the FedBizOpps.gov
notifications did not provide adequate transparency or a clear understanding to the general public
of the purpose, nature, and corresponding program of the procurements. The Department has
publicized both its program plans and its contracts awarded with Recovery Act funds.
However, 19 award notifications did not reference specific program plans or objectives, making it difficult to determine which awards were made pursuant to the Department’s Recovery Act programs. In addition, 17 award notifications did not include descriptions of the products or services that could be readily understood by the general public.

In that regard, OMB Memorandum M-09-15³ states:

          Agencies should ensure that their descriptions of procurements use language
          appropriate for a more general audience, avoiding industry-specific terms and
          acronyms without plain language explanations. Taxpayers, the media, and others
          are using our business systems to gain insight on how Recovery Act funds are
          being spent.

Transparency and accountability of Recovery Act funds are major requirements of the act. However, almost all program funds have been obligated. Therefore, we are not making any recommendations for IRM to improve transparency for future procurements notifications reported through FedBizOpps.gov. Nevertheless, this deficiency prevented the general public from being able to identify procurements made pursuant to the Cyber Attacks program, since descriptions within award notifications did not contain references or mention corresponding programs.

Recipient-Reported Data on Award Information

For the quarterly reporting period ended June 30, 2010, we identified the following awards in which recipient-reported data did not agree with source documentation:

   • Recovery Act funds of $14,366,103 awarded prior to the quarter ended June 30, 2010, were not reported by recipients.
     This amount was based on four different awards. The majority of this amount, $12,148,674, was attributable to a modification of an existing award that was not reported by a recipient as of the end of the reporting period.
   • For one award, duplicate reporting of a modification of $149,803 was included within the contractor’s report.

The FAR⁴ establishes reporting requirements for contractors receiving awards funded by the Recovery Act. The information to be reported includes data such as cumulative amounts awarded, cumulative amounts spent, descriptions of goods and services, assessment of contractor progress toward completion, and any subcontracting activity. Contractors receiving awards under the Recovery Act are required to report quarterly on award information and activities using the online reporting Web site FederalReporting.gov. This information is then uploaded from FederalReporting.gov to the Recovery.gov Web site for publicizing to the general public. Department personnel are required to review recipient-reported information every quarter to ensure consistency with Department records. Therefore, as noted, recipient-reported data for the Cyber Attacks program showed $14,366,102 as underreported and $149,803 as overreported.

        Recommendation 1. We recommend that the Bureau of Administration’s Office of Logistics Management, Office of Acquisitions Management, ensure that contractors that received awards from the American Recovery and Reinvestment Act for the Tools To Guard Against and Track Cyber Attacks program provide accurate award information and that the inaccurate award information identified in this report is corrected.

        Management Response: AQM concurred with the recommendation, stating that the bureau will research reported inaccuracies and provide OIG with an action plan to resolve any discrepancies.

        OIG Analysis: On the basis of the response, OIG considers the recommendation resolved. OIG will consider the recommendation closed pending review and acceptance of AQM’s action plan.

³ OMB Memorandum M-09-15, pt. 6.2., p. 57 (April 3, 2009).
⁴ FAR 52.204-11, “American Recovery and Reinvestment Act-Reporting Requirements.” (March 2009)

Instances of Noncompliance With Certain Office of Management and Budget Requirements

IRM generally followed OMB requirements for contracts supporting the Cyber Attacks program. However, we identified instances of agency noncompliance with OMB Memorandum M-09-15 concerning performance requirements in awarding contracts to contractors. Specifically, for the 25 contracts reviewed, we noted the following instances of noncompliance:

   • The clause in the FAR (FAR 52.204-11)⁵ that specifies recipient reporting requirements was not included in the award documents for one award.

   • Pre-solicitation and award notifications were not published on FedBizOpps.gov for three awards.
     According to the FAR,⁶ agencies should publish both pre-solicitation and award notifications on FedBizOpps.gov for the procurement of all goods and services using Recovery Act funds.

   • On the Federal Procurement Data System Web site (FPDS.gov), five awards were not identified as Recovery Act initiatives. According to the FAR,⁷ in addition to publicizing contract and award actions on FPDS.gov, agencies should identify any action funded in whole or in part by the Recovery Act in accordance with the instruction at https://www.fpds.gov.

   • One contract had been awarded on a noncompetitive basis, which was not disclosed in the special reporting section on the Web site Recovery.gov. The FAR⁸ requires awards that are made on a noncompetitive and/or a non-fixed-price basis to be disclosed in a special reporting section on Recovery.gov.

⁵ Ibid.
⁶ FAR 5.704, “Publicizing Pre-award,” and FAR 5.705, “Publicizing Post-award,” respectively.
⁷ FAR 4.605, “Contract Reporting - Procedures.”
⁸ FAR 5.705(b).

Since almost all program funds have been obligated and the noncompliance instances cited are primarily isolated, we are not making any recommendations in this area.

Appendix A

Scope and Methodology

The Department of State (Department), Office of Inspector General (OIG), contracted with Clarke Leiper, PLLC, independent public accountant, to audit the Department’s Tools To Guard Against and Track Cyber Attacks (Cyber Attacks) program.

The purpose of this audit was to evaluate the Cyber Attacks program and assess the Department’s planning and use of funds from the American Recovery and Reinvestment Act of 2009 (Recovery Act) to meet program objectives, to ensure that Recovery Act funds were used for their intended purpose, and to determine whether the Department complied with Office of Management and Budget requirements.
To ensure the adequacy of program plans and to ensure that the Department used Recovery Act funds appropriately, we performed audit procedures to determine whether

   • Funds were awarded and distributed in a prompt, fair, and reasonable manner.
   • Recipients and uses of all funds were transparent to the public and the public benefits of the funds were reported clearly and accurately and in a timely manner.
   • Risks associated with the project receiving Recovery Act funding have been identified and communicated to the Department.
   • Funds were used for authorized purposes.
   • The program has taken action to identify and mitigate instances of fraud, waste, error, and abuse.
   • Established schedules were monitored and delays were properly justified.
   • Cost overruns and unnecessary delays were avoided and lessons learned were identified to prevent recurrences.
   • Program goals were achieved and specific program outcomes were realized.
   • Contractors and other fund recipients met eligibility requirements and complied with award requirements.
   • Adequate planning was conducted for potential future project phases.

We conducted the audit work from April through October 2010. This work was conducted in accordance with generally accepted government auditing standards. Those standards require that the auditors plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We and OIG believe that the evidence obtained provides a reasonable basis for the findings and conclusions based on the audit objectives.

In our audit of the Department’s Cyber Attacks program, we interviewed project managers and officials at the Bureaus of Information Resource Management, Diplomatic Security, and Intelligence and Research and evaluated documentation supporting planned activities and milestones, risk assessments, and other relevant documents in support of major accomplishments or decisions. For compliance with Recovery Act requirements, we reviewed contract files, award documentation, and information published on the Web sites Recovery.gov, FPDS.gov, and FedBizOpps.gov. In determining the proper use of Recovery Act funds, we tested sample transactions and reviewed related source documents, including purchase orders, contracts, vendor invoices, and payment and approval vouchers.

In the draft report, we addressed the report’s one recommendation to the Bureau of Information Resource Management (IRM).
However, IRM officials suggested that the Bureau of Administration, Office of Logistics Management, Office of Acquisitions Management (A/LM/AQM), would be the more appropriate office to take action on this recommendation. Therefore, we redirected the recommendation in this final report to AQM, whose response is presented in Appendix C.

Work Related to Internal Controls

To assess the adequacy of internal controls related to the weekly activity reports, the accountability of Recovery Act funds, and the monitoring of projects to avoid cost overruns and delays, we performed the following actions:

   • Obtained an understanding of the processes and procedures.
   • Reviewed source documentation and other types of evidence in order to confirm the adequacy of stated controls.
   • Compared weekly report balances with details and reconciled differences in the Global Financial Management System (GFMS).
   • Reviewed internal reports related to the compilation of balances and amounts for reporting to the public.
   • Compared reported progress with information in the planning documents and progress schedules.
   • Determined that separate Treasury Account Symbols were established for Recovery Act programs.
   • Verified proper approval over transactions involving Recovery Act funds.
   • Discussed with program managers issues regarding cost overruns and delays and subsequently compared responses with expenditure details and program schedules to assess the reasonableness of responses.

Data Reliability

We selected a sample and performed the following procedures in assessing data reliability and quality:

   • Reviewed contract files to determine whether contracts were competitively awarded and at fixed cost.
   • Tested, if a contract was determined to have been awarded noncompetitively or at a non-fixed cost, whether those contracts were disclosed and listed in a separate section on Recovery.gov.
   • Reviewed, for each contract, corresponding notifications and award information published on FedBizOpps.gov and FPDS.gov to determine whether all required Recovery Act disclosures and identifying information were reported.
   • Reviewed, for each contract, the vendors’ reported data from Recovery.gov to ensure that all required information was included. We also compared vendor-reported amounts with those within GFMS.
   • Compared weekly financial report balances with underlying schedules and GFMS details.

Use of Computer-Processed Data

We used computer-processed data from GFMS to select sample items for testing contracts and obligation and/or expenditure transactions. We also used GFMS details and reconciling schedules to compare the accuracy of balances reported within the Recovery Act weekly financial reports posted by the Department.
We determined that the GFMS data and schedules were reliable based on our selected sample and our testing of internal controls involving the weekly reporting process.

Appendix B

Capital Investment Fund

Funding from the Recovery and Reinvestment Act of 2009 (Recovery Act) for the Department of State (Department) is allocated among four separate Treasury Account Symbols (TAS), or funds. These funds were created to comply with the Recovery Act requirement of tracking and accounting for Recovery Act funds separately from other agency funds. All TASs and related activities are included within the Department’s weekly financial reports. The Department obligated nearly 100 percent of the amount available for the Tools to Guard Against and Track Cyber Attacks program.

The Department’s Capital Investment Fund (TAS 1119) is broken down into three sections: the data center, cyber security, and IT platform initiatives, as shown in Table 1. The Cyber Attacks program is tracked and recorded under the cyber security portion of the fund (TAS 1119.0002), as shown in Table 2.

Table 1. Department of State Capital Investment Fund

Department of State – Capital Investment Fund (TAS 1119)          Fund Code    Planned Budgeted    Actual Obligations
  - Data Center                                                   1119.0001         120,000,000           119,972,941
  - Cyber Security                                                1119.0002          98,500,000            98,502,834
  - IT Platform                                                   1119.0003          33,500,000            33,499,148
  Transfer to U.S. Agency for International Development (USAID)       -              38,000,000            38,000,000
  TOTAL                                                                           $ 290,000,000         $ 289,974,923
Source: Department of State.

Table 2. Cyber Security Portion of Capital Investment Fund

Cyber Security (TAS 1119.0002)                                                    Planned    Obligations as of 9-30-2010
Tools To Guard Against and Track Cyber Attacks                                $64,205,000                   $ 64,203,789
Strengthen Computer Hardware Security Testing and Forensic Investigations       4,000,000                      3,998,790
Safeguarding Citizens – Computer Security Systems                              25,366,000                     25,365,911
Expanded Cyber Education                                                        4,929,000                      4,934,344
TOTAL                                                                        $ 98,500,000                   $ 98,502,834
Source: Department of State.
Appendix C

United States Department of State
Washington, D.C. 20520

July \9,2011

UNCLASSIFIED
MEMORANDUM

TO:       OIG/AUD - Mark Taylor

FROM:     Cathy Read, A/LM/AQM

SUBJECT:  Draft Report on Audit of the Department of State Tools To Guard Against and Track Cyber Attacks Program Funded by the American Recovery and Reinvestment Act

Recommendation 1: We recommend that the Bureau of Information Resource Management, Office of Enterprise Network Management, ensure that contractors that received awards from the American Recovery and Reinvestment Act for the Tools To Guard Against and Track Cyber Attacks program provide accurate award information and that the inaccurate award information identified in this report be corrected.

A/LM/AQM response:

A/LM/AQM will work with the OIG regarding the identified contracts/task orders and will research each reported inaccuracy. Once all procurement-related actions have been researched and verified, A/LM/AQM will provide OIG with an action plan to resolve any discrepancies.

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT of Federal programs and resources hurts everyone.

Call the Office of Inspector General HOTLINE 202-647-3320 or 1-800-409-9926 or e-mail oighotline@state.gov to report illegal or wasteful activities.

You may also write to
Office of Inspector General
U.S. Department of State
Post Office Box 9778
Arlington, VA 22219

Please visit our Web site at: http://oig.state.gov

Cables to the Inspector General should be slugged “OIG Channel” to ensure confidentiality.